Deployment Architecture

We have two indexers in our cluster with SF=2 and RF=2. From the past week I am observing that there is huge difference(almost 8K) in buckets between the indexers. is this normal or we need to take any action?

Explorer

And also I observed that we are getting following error frequently.

Problem replicating config (bundle) to search peer ':8089',Reading reply to upload: rv=-2, Receive from=https://:8089 timed out; exceeded 60sec, as per=distsearch.conf/[replicationSettings]/sendRcvTimeout

If there anyone who had the same problem and solved, please provide the solution for. Thanks

0 Karma

Communicator

Hi Motkarnaresh,

i think the rrror you postet is not causing the bucket replication issue you describe in your headline.

The error you postet is a knowledge bundle replication error between your searchhead and the indexer. It just means that the knowledge bundle which is replicated from your search head to the indexers did not finish the replication within 60 seconds. This can happen when the replicated bundle is simply to big to finish replication within the default 60 seconds.

Take a look at distsearch.conf for some configuration possibilities for example you can set sendRcvTimeout Parameter a little higher, but i would prefer to check how big your bundles are.

Path --> $SPLUNk_HOME_SEARCH_HEAD/var/run

in addition you can check this to edit your knowledge bundles. Often big lookups cause this problem.

http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Configuredistributedsearch#Limit_the_knowledg...

If nothing of this can help you should check your network performance.

Are there any other warnings or errors on your search peers that can explain your difference in bucket replication?

kind regards

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!